The Password Breach That Affected a Recruiting Platform's Whole Team

TL;DR

A project management tool that a recruiting platform's team used got breached. Three team members had reused their work email passwords there, which led to credential stuffing attempts across the company's services. One account was successfully compromised before they caught it. The team implemented mandatory password managers and 2FA, and learned painful lessons about password hygiene.

The breach notification email seemed like routine spam at first. "Your data may have been compromised in a recent security incident." Everyone on the recruiting platform's engineering team had received hundreds of these. This one was different.

The Chain Reaction

The breached service was a project management tool the team had used briefly two years ago. Most of the engineers had forgotten about it. But the email/password combinations were now in a database being sold on the dark web.

"One of the developers got an alert from Google that someone in Vietnam had tried to log into their account. Then the company Slack showed a login from an unfamiliar IP. Then AWS sent a suspicious activity warning. It was all connected."

Three team members had committed the cardinal sin: using the same password for the breached service and their work accounts. The attackers were running automated credential stuffing attacks across popular services.

What Got Compromised

One team member's GitHub account was accessed before anyone realized what was happening. The attacker had:

  • Read access to private repositories
  • Viewed some environment variable configurations
  • Potentially cloned repository contents

Fortunately, the platform's actual secrets were in a separate vault, not in the repos. But it was too close for comfort.

What Enabled the Attack

  • Password reuse across personal and work accounts
  • No mandatory 2FA policy for the team
  • Using personal emails for some work services
  • No monitoring for suspicious login attempts
  • Abandoned accounts on forgotten services

The Response

Once the team understood the scope, they moved fast:

  1. Immediate password resets: All team members reset passwords on all work services
  2. Session revocation: Logged out all sessions everywhere
  3. 2FA enforcement: Mandatory 2FA on all work accounts within 24 hours
  4. Audit logs review: Checked all services for unauthorized access
  5. API key rotation: Rotated all keys that might have been visible in repos

The New Policy

The recruiting platform implemented strict new requirements:

Team Security Requirements:
1. Password manager required (1Password Teams)
2. Unique password for every service
3. 2FA mandatory on all work accounts
4. Hardware keys (YubiKey) for critical services
5. Work email only for work services
6. Regular HaveIBeenPwned checks
7. Quarterly access review and cleanup

The team also set up alerts for breach notifications using services that monitor for company email addresses appearing in new breaches.

Key Lessons Learned
  • Password reuse is a ticking time bomb - every service you sign up for is a potential breach vector
  • Mandate password managers for teams - makes unique passwords practical
  • 2FA should be non-negotiable for work accounts
  • Monitor for team credentials in breach databases
  • Audit and delete accounts on services you no longer use
  • Use work emails only for work services

Checking If You're Affected

Everyone should regularly check if their credentials have been exposed:

  • HaveIBeenPwned.com: Check if your email appears in known breaches
  • Password manager breach monitoring: 1Password, Bitwarden, and others offer this
  • Chrome/Firefox password checkup: both browsers can check saved passwords against known breach data

If you find your credentials in a breach, change that password everywhere you've used it, and if it was a work password, also revoke active sessions and rotate any API keys or tokens that the account could see. Better yet, use a password manager so you never reuse passwords again.
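The "Regular HaveIBeenPwned checks" the new policy calls for can be automated without sending anyone's password to a third party. Have I Been Pwned's Pwned Passwords API uses k-anonymity: the client sends only the first five hex characters of the password's SHA-1 and gets back every known suffix in that range, so the match happens locally. The following is an added example, not code from the article or from the recruiting platform; it calls the real https://api.pwnedpasswords.com/range/ endpoint, and the `fetch_range_sample` response body is constructed so the check can be exercised offline.

```python
from __future__ import annotations

import hashlib
import urllib.request
from typing import Callable

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Upper-case hex SHA-1 of `password`, split into the 5-char prefix that is
    sent to the API and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines returned for one hash prefix."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_live(prefix: str) -> str:
    """Fetch one hash range from Have I Been Pwned (needs network access).
    Add-Padding makes responses a similar size so an observer cannot infer
    anything from the response length."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "team-password-audit"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for a range response (real ones are several hundred
# lines). The first suffix is the real SHA-1 of 'password' minus its prefix;
# the other entries and counts are made up for the example.
SAMPLE_RANGE_5BAA6 = "\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
    "0" * 35 + ":0",  # Add-Padding filler entries carry a zero count
])


def fetch_range_sample(prefix: str) -> str:
    """Offline replacement for fetch_range_live using the constructed sample."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range_live) -> int:
    """How many times `password` appears in the Pwned Passwords corpus (0 if never)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple"]:
        n = pwned_count(candidate, fetch_range_sample)
        verdict = f"seen {n} times, do not use" if n else "not in the sample range"
        print(f"{candidate!r}: {verdict}")
```

Swap `fetch_range_sample` for the default `fetch_range_live` to run the check for real; a non-zero count means the password is in a public breach corpus and should be treated as already known to attackers, whatever its length.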

How do credential stuffing attacks work?

Attackers take email/password pairs from one breach and automatically try them on many other services (Gmail, GitHub, AWS, etc.). Unlike a brute-force attack, each account is tried only once or twice with the password that leaked, so per-account lockout thresholds rarely fire. Success rates are typically a fraction of a percent, but against a list of millions of leaked pairs that still yields thousands of working logins.
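Because each account is hit only once or twice, the "no monitoring for suspicious login attempts" gap above cannot be closed with per-user lockout alone; the signal lives in the source: one IP cycling through many different usernames and failing almost all of them. The following detection logic is an added example, not code from the article or the platform's own tooling. The log format, IP addresses and usernames are constructed for the example; a real deployment would read the identity provider's sign-in log instead.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample (not from the article): one source tries eight different
# accounts once each and gets into one; a legitimate user mistypes their
# password twice from home; an office egress IP logs three people in normally.
SAMPLE_LOG = """\
2024-03-02T10:15:01Z auth src=203.0.113.7 user=alice result=FAIL
2024-03-02T10:15:02Z auth src=203.0.113.7 user=bob result=FAIL
2024-03-02T10:15:02Z auth src=203.0.113.7 user=carol result=FAIL
2024-03-02T10:15:03Z auth src=203.0.113.7 user=dave result=OK
2024-03-02T10:15:03Z auth src=203.0.113.7 user=erin result=FAIL
2024-03-02T10:15:04Z auth src=203.0.113.7 user=frank result=FAIL
2024-03-02T10:15:04Z auth src=203.0.113.7 user=grace result=FAIL
2024-03-02T10:15:05Z auth src=203.0.113.7 user=heidi result=FAIL
2024-03-02T10:16:10Z auth src=198.51.100.23 user=bob result=FAIL
2024-03-02T10:16:25Z auth src=198.51.100.23 user=bob result=FAIL
2024-03-02T10:16:40Z auth src=198.51.100.23 user=bob result=OK
2024-03-02T10:20:00Z auth src=192.0.2.44 user=alice result=OK
2024-03-02T10:20:05Z auth src=192.0.2.44 user=carol result=OK
2024-03-02T10:20:09Z auth src=192.0.2.44 user=erin result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    user: str
    success: bool


@dataclass
class StuffingAlert:
    src_ip: str
    distinct_users: int
    attempts: int
    failures: int
    compromised: frozenset[str]  # accounts that authenticated from the flagged source


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the constructed 'auth' line format into time-ordered events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not an auth record
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(LoginEvent(ts, m["ip"], m["user"], m["result"] == "OK"))
    return sorted(events, key=lambda e: e.ts)


def detect_stuffing(events, window=timedelta(minutes=10),
                    min_users=5, min_fail_ratio=0.75) -> dict[str, StuffingAlert]:
    """Flag sources that try at least `min_users` *different* accounts within
    `window` and fail at least `min_fail_ratio` of them. Grouping is per source,
    not per user, because stuffing touches each account only once or twice."""
    by_ip: dict[str, list[LoginEvent]] = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)

    alerts: dict[str, StuffingAlert] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):          # sliding window over this source's events
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            users = {e.user for e in span}
            failures = sum(not e.success for e in span)
            if len(users) >= min_users and failures / len(span) >= min_fail_ratio:
                alerts[ip] = StuffingAlert(
                    ip, len(users), len(span), failures,
                    frozenset(e.user for e in span if e.success),
                )
    return alerts


def accounts_to_revoke(alerts: dict[str, StuffingAlert]) -> list[str]:
    """Accounts that logged in from a flagged source: reset and revoke sessions first."""
    return sorted({u for a in alerts.values() for u in a.compromised})


if __name__ == "__main__":
    found = detect_stuffing(parse_log(SAMPLE_LOG))
    for a in found.values():
        print(f"{a.src_ip}: {a.distinct_users} users, {a.failures}/{a.attempts} failed, "
              f"succeeded as {sorted(a.compromised)}")
    print("revoke sessions for:", accounts_to_revoke(found))
```

The home user who mistypes twice is never flagged (one username), and neither is the office IP (three users, no failures); only the source that shotgunned eight accounts is, and the one account it got into is the first thing to reset and log out, which is exactly the order the response steps above follow.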

Is a password manager really necessary?

Yes. Humans can't remember unique, strong passwords for the dozens of services we use. Password managers make this practical, warn when you try to reuse a password, and refuse to autofill a saved login on a domain that doesn't match the one it was saved for, which is a useful tell that you are on a phishing site.

What type of 2FA is most secure?

From most to least secure: hardware keys (YubiKey) > authenticator apps (Authy, Google Authenticator) > SMS codes. Hardware keys are bound to the site's origin, so a phishing page cannot relay them; one-time codes from an app or SMS can be phished and replayed in real time, and SMS is additionally vulnerable to SIM swapping. Avoid SMS for critical accounts if possible.
